
Russian Hackers Hit SOHO Routers in Cyberespionage Campaign


Hijacking DNS Settings Helps Russian Hackers Decrypt TLS Traffic, Microsoft Warns

Mathew J. Schwartz (euroinfosec) • April 7, 2026


Hackers tied to Russian military intelligence are continuing to refine attacks against home and small office routers for cyberespionage purposes, warn threat intelligence researchers at Microsoft.


A newly spotted campaign tied to Russia's GRU Military Unit 26165 has been hacking SOHO routers' domain name system settings in a manner that lets intelligence agents spy on normally encrypted Transport Layer Security traffic, says a Tuesday report from Microsoft.

Since at least August 2025, more than 200 organizations and 5,000 consumer devices have been exposed to the attackers' DNS subterfuge. The targets span sectors including government, IT, telecommunications and energy.

The nation-state hackers tied to the attacks are variously tracked by threat intel monikers that include APT 28, Fancy Bear ...


Copyright of this story solely belongs to bankinfosecurity.